Property Detail

• static Integer DEFAULT_AES_ITERATIONS

  The default number of iterations of SHA-256 hashing of the AES IV when AES encryption or decryption is performed. Default: 5000 iterations.

  See Also:

  decryptWithAES256(byte[], byte[], byte[], java.lang.Integer)

  encryptWithAES256(byte[], byte[], java.lang.String, java.lang.Integer)

• KeyPair key_pair

  A decoded RSA key pair used for encryption and decryption, and signing.

  See Also:

  setKey_pair(java.lang.String)

  getRsa_keysize()

Constructor Detail

• SecurityIO()

  Instantiates an unconfigured instance of this class. Call setKey_pair(java.lang.String) to properly use this class.

• SecurityIO(String private_key_pem)

  Instantiates the class and configures a private key for decryption. Automatically calls setKey_pair(java.lang.String) as part of instantiating.

  Parameters:

  private_key_pem - The contents of an X.509 PEM encoded RSA private key.

  See Also:

  setKey_pair(java.lang.String)

Method Detail

• static def avoidTimingAttack(Integer milliseconds, Closure body)

  This is a constant-time function intended to wrap security-sensitive code. This forces code to always take a certain amount of time regardless of input in order to have a constant-time result to avoid timing based attacks.

  If milliseconds is a negative number, e.g. -200, then the delay will be randomized between 0 and milliseconds but not more than milliseconds.

  Security Notes

  Please Note: due to how time works on computers sometimes the time can be 1 or 2 ms over the time you specify. If you have an absolute maximum, then you should account for this in the value you pass. This function can't guarantee absolute maximum.

  Please Note: this function provides fixed maximum delays. If code being called goes over this fixed delay, then timing attacks are still possible on your code. You should account for this with defensive programming such as validating inputs on security sensitive code before calling algorithms.

  Please note: randomized delay can have a limit. If an attacker has infinite time and unlimited samples, then statistically randomness goes away. This function makes it harder to calculate timing attacks; other protections should be in place on your code endpoints such as request limits within a given time frame.

  Please note: These notes are known as defense in depth. Have multiple controls around securing your code in case one control fails. Knowing the weakness of different controls enables you to better secure it with additional layers of security.

  Sample usage

  To run this example, clone Jervis and execute ./gradlew console to bring up a Groovy Console with the classpath set up.

  
  import static net.gleske.jervis.tools.SecurityIO.avoidTimingAttack
  import java.time.Instant
  
  Integer mysecret = 0
  Long before = Instant.now().toEpochMilli()
  // Force code to always take 200ms
  avoidTimingAttack(200) {
      mysecret = 1+1
  }
  assert mysecret == 2
  println("Time taken (milliseconds): ${Instant.now().toEpochMilli() - before}ms")
  
  before = Instant.now().toEpochMilli()
  // Force code to randomly delay up to 200ms
  avoidTimingAttack(-200) {
      mysecret = mysecret + 2
  }
  assert mysecret == 4
  println("Time taken (milliseconds): ${Instant.now().toEpochMilli() - before}ms")
  
  before = Instant.now().toEpochMilli()
  // Set an implicit value.  Minimum execution time is 100ms random between 100-200ms.
  mysecret = avoidTimingAttack(100) {
      avoidTimingAttack(-200) {
          mysecret + mysecret
      }
  }
  assert mysecret == 8
  println("Time taken (milliseconds): ${Instant.now().toEpochMilli() - before}ms")
  

  Parameters:

  milliseconds - The number of milliseconds a section of code must minimally take. If milliseconds is negative, then randomly delay up to the value. In both cases, the maximum delay is fixed at the absolute value of milliseconds.

  body - A closure of code to execute. The code will execute as fast as it can and this function will enforce a constant time.

  Returns:

  Returns the result from the executed closure.

• static byte[] decodeBase64Bytes(String content)

  Decode a base64 String into Bytes.

  Parameters:

  content - Base64 encoded String.

  Returns:

  Decoded raw Bytes.

• static String decodeBase64String(String content)

  Decode a base64 String.

  Parameters:

  content - Base64 encoded String.

  Returns:

  A decoded String.

• static byte[] decodeBase64UrlBytes(String content)

  Decode a URL safe base64 String into Bytes.

  Parameters:

  content - URL safe base64 encoded String.

  Returns:

  Decoded raw Bytes.

• String decodeBase64UrlString(String content)

  Decode a URL safe base64 String into a String.

  Parameters:

  content - A URL safe base64 encoded String.

  Returns:

  A decoded String.

• @Deprecated static String decryptWithAES256(byte[] secret, byte[] iv, byte[] data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Decrypt ciphertext using AES-256 CBC mode with PKCS5 padding. The IV is hashed with multiple iterations of SHA-256.

  deprecated:

  Use decryptWithAES256GCM(byte[], byte[]) instead. AES-CBC is vulnerable to padding oracle attacks and lacks authentication.

  See Also:

  DEFAULT_AES_ITERATIONS

  Java Cryptography Architecture (JCA) Reference Guide for Cipher class

  Java Security Standard Algorithm Names.

  Parameters:

  secret - Secret key for decrypting. If byte-count is less than 32 (256-bits), then bytes are repeated until 256 bits are available.

  iv - Initialization vector (IV) used to initialize the cipher.

  data - Data to be encrypted with AES-256.

  hash_iterations - The IV is hashed with SHA-256. For each iteration the iv is combined with the previous iteration result of the hashing. The resulting bytes are fed into PBKDF2WithHmacSHA256 resulting in a new initialization vector. If set to 0, then hashing is skipped and the original iv is used for AES cipher initialization.

• @Deprecated static String decryptWithAES256(String passphrase, String data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Decrypts ciphertext with AES-256 using a passphrase. See the encrypt method for more details on both algorithms and usage.

  deprecated:

  Use decryptWithPassphraseGCM(java.lang.String, java.lang.String) instead. AES-CBC is vulnerable to padding oracle attacks, lacks authentication, and uses deterministic IV/salt derived from passphrase.

  See Also:

  DEFAULT_AES_ITERATIONS

  encryptWithAES256 using passphrase method

  decryptWithAES256 AES deciphering details

  Parameters:

  passphrase - A passphrase used to decrypt AES-256 ciphertext. See encrypt method for more details.

  data - Base64 encoded ciphertext to be decrypted.

  hash_iterations - The number of iterations the AES-256 initialization vector (IV) is hashed with SHA-256. The minimum iterations allowed is 1 for password-based encryption.

• @Deprecated static String decryptWithAES256Base64(String secret, String iv, String data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Takes Base64 encoded secret and IV and decrypts the provided Base64 encoded String data.

  deprecated:

  Use decryptWithAES256GCMBase64(java.lang.String, java.lang.String) instead. AES-CBC is vulnerable to padding oracle attacks and lacks authentication.

  See Also:

  encryptWithAES256(byte[], byte[], java.lang.String, java.lang.Integer)

  Parameters:

  secret - Base64 encoded binary secret.

  iv - Base64 encoded binary initialization vector (IV).

  data - Base64 encoded encrypted bytes to decrypt.

  Returns:

  A String which is plaintext.

• static String decryptWithAES256GCM(byte[] secret, byte[] data)

  Decrypt ciphertext using AES-256 GCM mode with authenticated decryption. Expects the nonce (12 bytes) to be prepended to the ciphertext. GCM mode provides both confidentiality and authenticity verification.

  See Also:

  Java Cryptography Architecture (JCA) Reference Guide for Cipher class

  Java Security Standard Algorithm Names.

  Parameters:

  secret - Secret key for decrypting. If byte-count is less than 32 (256-bits), then bytes are repeated until 256 bits are available.

  data - Data to be decrypted with AES-256-GCM. Must have 12-byte nonce prepended.

  Returns:

  Decrypted plaintext String.

• static String decryptWithAES256GCMBase64(String secret, String data)

  Takes Base64 encoded secret and decrypts the provided Base64 encoded ciphertext using AES-256-GCM authenticated decryption.

  See Also:

  decryptWithAES256GCM(byte[], byte[])

  Parameters:

  secret - Base64 encoded binary secret.

  data - Base64 encoded encrypted bytes to decrypt (with nonce prepended).

  Returns:

  A String which is plaintext.

• static String decryptWithPassphraseGCM(String passphrase, String data)

  Decrypts ciphertext with AES-256-GCM using a passphrase. Expects the format: salt (32 bytes) || nonce (12 bytes) || ciphertext || auth-tag Provides authenticated decryption that verifies integrity.

  See Also:

  encryptWithPassphraseGCM using passphrase method

  decryptWithAES256GCM AES-GCM deciphering details

  Parameters:

  passphrase - A passphrase used to decrypt AES-256-GCM ciphertext.

  data - Base64 encoded ciphertext to be decrypted (with prepended salt and nonce).

  Returns:

  Decrypted plaintext String.

• static String encodeBase64(String content)

  Encode a String into a base64 String.

  Parameters:

  content - A plain String.

  Returns:

  Base64 encoded String

• static String encodeBase64(byte[] content)

  Encode raw Bytes into a base64 String.

  Parameters:

  content - Base64 encoded String.

  Returns:

  Decoded raw Bytes.

• static String encodeBase64Url(String content)

  Encode raw Bytes into a URL safe base64 String.

  Parameters:

  content - A plain String.

  Returns:

  A URL safe Base64 encoded String.

• static String encodeBase64Url(byte[] content)

  Encode raw Bytes into a URL safe base64 String.

  Parameters:

  content - Raw Bytes.

  Returns:

  A URL safe Base64 encoded String.

• @Deprecated static byte[] encryptWithAES256(byte[] secret, byte[] iv, String data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Encrypt plaintext using AES-256 CBC mode with PKCS5 padding. The IV is hashed with multiple iterations of SHA-256.

  deprecated:

  Use encryptWithAES256GCM(byte[], java.lang.String) instead. AES-CBC is vulnerable to padding oracle attacks and lacks authentication.

  See Also:

  DEFAULT_AES_ITERATIONS

  Java Cryptography Architecture (JCA) Reference Guide for Cipher class

  Java Security Standard Algorithm Names.

  Parameters:

  secret - Secret key for decrypting. If byte-count is less than 32 (256-bits), then bytes are repeated until 256 bits are available.

  iv - Initialization vector (IV) used to initialize the cipher.

  data - Data to be encrypted with AES-256.

  hash_iterations - The IV is hashed with SHA-256. For each iteration the iv is combined with the previous iteration result of the hashing. The resulting bytes are fed into PBKDF2WithHmacSHA256 resulting in a new initialization vector. If set to 0, then hashing is skipped and the original iv is used for AES cipher initialization.

• @Deprecated static String encryptWithAES256(String passphrase, String data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Encrypts String data with AES-256 using a passphrase.

  Sample usage

  
  import net.gleske.jervis.tools.SecurityIO
  import java.time.Instant
  
  Long time(Closure c) {
      Long before = Instant.now().epochSecond
      c()
      Long after = Instant.now().epochSecond
      after - before
  }
  
  String encrypted
  Long timing1 = time {
      encrypted = SecurityIO.encryptWithAES256('correct horse battery staple', 'My secret data')
  }
  
  
  println("Encrypted text: ${encrypted}")
  Long timing2 = time {
      println("Decrypted text: ${SecurityIO.decryptWithAES256('correct horse battery staple', encrypted)}")
  }
  
  println "Encrypt time: ${timing1} second(s)\nDecrypt time: ${timing2} second(s)"
  

  deprecated:

  Use encryptWithPassphraseGCM(java.lang.String, java.lang.String) instead. AES-CBC is vulnerable to padding oracle attacks, lacks authentication, and uses deterministic IV/salt derived from passphrase.

  See Also:

  DEFAULT_AES_ITERATIONS

  encryptWithAES256 AES enciphering details

  Java Cryptography Architecture (JCA) Reference Guide for SecretKeyFactory class

  SecretKeyFactory algorithm names

  Recommendation for Password-Based Key Derivation Part 1: Storage Applications; Published: December 22, 2010; Citation: Special Publication (NIST SP) - 800-132

  Parameters:

  passphrase - A passphrase used to generate AES keys for encryption. The passphrase creates an AES key using PBKDF2WithHmacSHA256, a salt created from passphrase checksum, and variable PBKDF2 iterations based on passphrase checksum. The PBKDF2 iterations are between 100100 and 960000.

  data - Data to be encrypted.

  hash_iterations - The number of iterations the AES-256 initialization vector (IV) is hashed with SHA-256. The minimum iterations allowed is 1 for password-based encryption.

• @Deprecated static String encryptWithAES256Base64(String secret, String iv, String data, Integer hash_iterations = DEFAULT_AES_ITERATIONS)

  Takes Base64 encoded secret and IV and encrypts the provided String data.

  deprecated:

  Use encryptWithAES256GCMBase64(java.lang.String, java.lang.String) instead. AES-CBC is vulnerable to padding oracle attacks and lacks authentication.

  See Also:

  encryptWithAES256(byte[], byte[], java.lang.String, java.lang.Integer)

  Parameters:

  secret - Base64 encoded binary secret.

  iv - Base64 encoded binary initialization vector (IV).

  data - A plain String to be encrypted (not Base64 encoded).

• static byte[] encryptWithAES256GCM(byte[] secret, String data)

  Encrypt plaintext using AES-256 GCM mode with authenticated encryption. Uses a random 12-byte nonce which is prepended to the ciphertext. GCM mode provides both confidentiality and authenticity.

  See Also:

  Java Cryptography Architecture (JCA) Reference Guide for Cipher class

  Java Security Standard Algorithm Names.

  Parameters:

  secret - Secret key for encrypting. If byte-count is less than 32 (256-bits), then bytes are repeated until 256 bits are available.

  data - Data to be encrypted with AES-256-GCM.

  Returns:

  Ciphertext with 12-byte nonce prepended (nonce || ciphertext || auth-tag).

• static String encryptWithAES256GCMBase64(String secret, String data)

  Takes Base64 encoded secret and encrypts the provided String data using AES-256-GCM authenticated encryption.

  See Also:

  encryptWithAES256GCM(byte[], java.lang.String)

  Parameters:

  secret - Base64 encoded binary secret.

  data - A plain String to be encrypted (not Base64 encoded).

  Returns:

  Base64 encoded ciphertext with nonce prepended.

• static String encryptWithPassphraseGCM(String passphrase, String data)

  Encrypts String data with AES-256-GCM using a passphrase. Uses a random 32-byte salt which is prepended to the ciphertext. Provides authenticated encryption for both confidentiality and integrity.

  Sample usage

  
  import net.gleske.jervis.tools.SecurityIO
  import java.time.Instant
  
  Long time(Closure c) {
      Long before = Instant.now().epochSecond
      c()
      Long after = Instant.now().epochSecond
      after - before
  }
  
  String encrypted
  Long timing1 = time {
      encrypted = SecurityIO.encryptWithPassphraseGCM('correct horse battery staple', 'My secret data')
  }
  
  println("Encrypted text: ${encrypted}")
  Long timing2 = time {
      println("Decrypted text: ${SecurityIO.decryptWithPassphraseGCM('correct horse battery staple', encrypted)}")
  }
  
  println "Encrypt time: ${timing1} second(s)\nDecrypt time: ${timing2} second(s)"
  

  See Also:

  encryptWithAES256GCM AES-GCM enciphering details

  Java Cryptography Architecture (JCA) Reference Guide for SecretKeyFactory class

  SecretKeyFactory algorithm names

  Recommendation for Password-Based Key Derivation Part 1: Storage Applications; Published: December 22, 2010; Citation: Special Publication (NIST SP) - 800-132

  Parameters:

  passphrase - A passphrase used to generate AES keys for encryption. The passphrase creates an AES key using PBKDF2WithHmacSHA256, a random 32-byte salt, and variable PBKDF2 iterations based on passphrase checksum. The PBKDF2 iterations are between 100100 and 960000. The random salt is prepended to the ciphertext.

  data - Data to be encrypted.

  Returns:

  Base64 encoded ciphertext with format: salt (32 bytes) || nonce (12 bytes) || ciphertext || auth-tag

• String getGitHubJWT(String github_app_id, Integer expiration = 10, Integer drift = 30)

  Get a JSON Web Token (JWT) meant for use with GitHub App Authentication. This assumes the SecurityIO class was loaded with an RSA private key provided by GitHub App Authentication setup.

  Sample usage

  The following code will generate a JWT, verify it, and extract its payload contents.

  
  import net.gleske.jervis.tools.SecurityIO
  
  if(!(new File('/tmp/id_rsa').exists())) {
      'openssl genrsa -out /tmp/id_rsa 4096'.execute().waitFor()
      'openssl rsa -in /tmp/id_rsa -pubout -outform pem -out /tmp/id_rsa.pub'.execute().waitFor()
  }
  def security = new SecurityIO(new File("/tmp/id_rsa").text)
  // use a fake App ID of 1234
  String jwt = security.getGitHubJWT('1234')
  if(security.verifyGitHubJWTPayload(jwt)) {
      println('JWT is currently valid.')
  } else {
      println('JWT is invalid or expired.')
  }
  
  // Issue a 1 minute duration JWT, using clock drift 2 minutes in the past so that it is expired
  jwt = security.getGitHubJWT('1234', 1, 120)
  if(security.verifyGitHubJWTPayload(jwt)) {
      println('JWT is currently valid.')
  } else {
      println('JWT is invalid or expired.')
  }
  

  Parameters:

  github_app_id - The GitHub App ID available when generating a GitHub App.

  expiration - The duration of the JWT in minutes before the JWT expires. The maximum value supported by GitHub is 10 minutes. Minimum expiration is 1 minute. Default: 10 minutes.

  drift - Number of seconds in the past used as the starting point of the JWT. This is to account for clock drift between two remote systems as a conservative measure. If the drift is set for 30 seconds that means the issues JWT will expire in 9 minutes, 30 seconds in the future (10 minutes total if you include 30 seconds for clock drift). Default: 30 seconds.

  Returns:

  Returns a signed JWT. This does not guarantee a valid token just that a token is issued and signed. Use verifyGitHubJWTPayload(java.lang.String, java.lang.Integer) method to verify the token is valid given the current time.

• Integer getRsa_keysize()

  Returns the calculated RSA private key size in bits calculated from the key_pair. e.g. a 4096-bit RSA key will return 4096.

  Sample usage

  
  import net.gleske.jervis.tools.SecurityIO
  def security = new SecurityIO(new File("/tmp/id_rsa").text)
  println "Key size: ${security.rsa_keysize}"
  

  returns:

  Key size of the private key if key_pair is set. If no private key, then returns 0.

• static Boolean isBase64(String s)

  Check if String is valid base64 according to RFC 4648.

  Parameters:

  s - Check if String is similar to valid base64 encoding.

  Returns:

  true if it looks like valid base64 or false if not.

• static Boolean isSecureField(def field)

  Checks to see if a field in the Jervis YAML is a secure field. If it is then decryption should be attempted. This only detects of decryption is plausible.

  Parameters:

  property - A simple object that can take multiple types to check against.

  Returns:

  Returns true if the field can potentially be decrypted.

• static byte[] padForAES256(byte[] input)

  Repeats the input bytes until enough bytes are provided for AES-256.

  Parameters:

  input - Bytes to be repeated.

• static byte[] randomBytes(int size)

  Returns a random of bytes.

  Parameters:

  size - Number of random bytes to generate.

  Returns:

  Random bytes provided by NativePRNGNonBlocking.

• static String randomBytesBase64(int size)

  Base64 encoded random bytes.

  See Also:

  Java Security Standard Algorithm Names.

  Parameters:

  size - Number of random bytes to generate.

  Returns:

  Random bytes wrapped with Base64 encoding.

• @Deprecated String rsaDecrypt(String ciphertext)

  Uses RSA asymmetric encryption to decrypt a ciphertext String and outputs plain text. For third party reference, this is essentially executing the following commands in a terminal.

  
  echo 'ciphertext' | openssl enc -base64 -A -d | openssl rsautl -decrypt -inkey /tmp/id_rsa
  

  deprecated:

  Use rsaDecryptOaep(java.lang.String) instead. PKCS1 padding is vulnerable to Bleichenbacher padding oracle attacks.

  Parameters:

  ciphertext - A Base64 encoded ciphertext String to be decrypted.

  Returns:

  A plain text String or more generically: plaintext = RSAPrivateKeyDecrypt(base64decode(ciphertext))

• @Deprecated byte[] rsaDecryptBytes(byte[] cipherbytes)

  Uses RSA asymmetric encryption to decrypt enciphered bytes and returns plain bytes.

  deprecated:

  Use rsaDecryptBytesOaep(byte[]) instead. PKCS1 padding is vulnerable to Bleichenbacher padding oracle attacks.

  Parameters:

  cipherbytes - Encrypted bytes.

  Returns:

  Returns decrypted bytes.

• byte[] rsaDecryptBytesOaep(byte[] cipherbytes)

  Uses RSA asymmetric encryption with OAEP padding to decrypt enciphered bytes. OAEP padding is recommended over PKCS1 padding to prevent Bleichenbacher attacks.

  Parameters:

  cipherbytes - Encrypted bytes.

  Returns:

  Returns decrypted bytes.

• String rsaDecryptOaep(String ciphertext)

  Uses RSA asymmetric encryption with OAEP padding to decrypt a ciphertext String. OAEP padding is recommended over PKCS1 padding to prevent Bleichenbacher attacks.

  Parameters:

  ciphertext - A Base64 encoded ciphertext String to be decrypted.

  Returns:

  A plain text String.

• @Deprecated String rsaEncrypt(String plaintext)

  Uses RSA asymmetric encryption to encrypt a plain text String and outputs ciphertext. For third party reference, this is essentially executing the following commands in a terminal.

  
  echo -n 'plaintext' | openssl rsautl -encrypt -inkey ./id_rsa.pub -pubin | openssl enc -base64 -A
  

  deprecated:

  Use rsaEncryptOaep(java.lang.String) instead. PKCS1 padding is vulnerable to Bleichenbacher padding oracle attacks.

  Parameters:

  plaintext - A plain text String to be encrypted.

  Returns:

  A Base64 encoded ciphertext or more generically: ciphertext = base64encode(RSAPublicKeyEncrypt(plaintext))

• @Deprecated byte[] rsaEncryptBytes(byte[] plainbytes)

  Uses RSA asymmetric encryption to encrypt a plain bytes and outputs enciphered bytes.

  deprecated:

  Use rsaEncryptBytesOaep(byte[]) instead. PKCS1 padding is vulnerable to Bleichenbacher padding oracle attacks.

  Parameters:

  plainbytes - Plain bytes to be encrypted.

  Returns:

  Enciphered bytes are returned.

• byte[] rsaEncryptBytesOaep(byte[] plainbytes)

  Uses RSA asymmetric encryption with OAEP padding to encrypt plain bytes. OAEP padding is recommended over PKCS1 padding to prevent Bleichenbacher attacks.

  Parameters:

  plainbytes - Plain bytes to be encrypted.

  Returns:

  Enciphered bytes are returned.

• String rsaEncryptOaep(String plaintext)

  Uses RSA asymmetric encryption with OAEP padding to encrypt a plain text String. OAEP padding is recommended over PKCS1 padding to prevent Bleichenbacher attacks.

  Parameters:

  plaintext - A plain text String to be encrypted.

  Returns:

  A Base64 encoded ciphertext.

• void setKey_pair(String pem)

  Sets key_pair by decoding the String.

  Parameters:

  pem - An X.509 PEM encoded RSA private key.

• static String sha256Sum(String input)

  Calculates SHA-256 sum from a String.

  Parameters:

  input - A String to calculate a SHA-256 digest.

  Returns:

  A SHA-256 hex String.

• static String sha256Sum(byte[] input)

  Calculates SHA-256 sum from a byte-array.

  Parameters:

  input - A String to calculate a SHA-256 digest.

  Returns:

  A SHA-256 hex String.

• String signRS256Base64Url(String data)

  Creates a URL safe base64 string of a signature using algorithm RS256. This data signature is meant for use in JSON Web Tokens.

  Parameters:

  data - Any data meant to be signed with RS256 algorithm.

  Returns:

  Returns a URL safe base64 encoded String of the signature.

• Boolean verifyGitHubJWTPayload(String github_jwt, Integer drift = 30)

  Verify a GitHub JWT is not expired by checking the signature and ensuring current time falls within issued at and expiration. This does both signature checking and decoding the payload to check for validity. See also GitHub App Authentication.

  Parameters:

  github_jwt - A JWT meant for use in GitHub App Auth.

  drift - Add seconds into the future in order to account for clock drift. If 30 seconds are added that means this will assume a token expires 30 seconds before it really expires. If you issue a token with a 30 second drift and verify the token with a 30 second drift then the maximum duration for a token is 9 minutes. Default: 30 seconds.

• Boolean verifyJsonWebToken(String github_jwt)

  Use the loaded public key to verify the provided JSON web token (JWT).

  Parameters:

  jwt - A JSON Web Token meant for authentication.

  Returns:

  Returns true if the signature was successfully verified or false if signature verification failed.

• Boolean verifyRS256Base64Url(String signature, String data)

  Verify data signed by RS256 Base64 URL encoded signature.

  Parameters:

  signature - A Base64 URL encoded signature of RS256 algorithm.

  data - The data in which the signature should verify.

  Returns:

  Returns true if the signature was successfully verified or false if signature verification failed.